Ethical Hacking News

A New China-Linked Threat Actor Emerges: Earth Alux Exploits Vulnerabilities to Launch Multi-Stage Cyber Intrusions


  • Earth Alux is a new, sophisticated threat actor linked to China, with activities observed in the Asia-Pacific and Latin American regions.
  • The group's first sighting was reported in Q2 2023, targeting internet-exposed web applications and exploiting vulnerabilities for advanced payloads.
  • VARGEIT is a backdoor tool used by Earth Alux, facilitating reconnaissance, collection, and exfiltration, as well as lateral movement and network discovery.
  • MASQLOADER or RSBINJECT is used to launch the COBEACON payload; MASQLOADER overwrites the NTDLL.dll hooks that security programs insert on Windows.
  • Earth Alux leverages DLL side-loading for stealthy execution of malware and embedded payloads.
  • The group utilizes VirTest to ensure tools are stealthy enough to maintain long-term access to target environments.
  • Earth Alux represents a significant addition to China-linked threats, highlighting the need for increased vigilance and cooperation in detecting and mitigating these threats.



    A recent report by Trend Micro has shed light on a new, sophisticated threat actor called Earth Alux that has been linked to China. The group's activities have been observed in various key sectors across the Asia-Pacific (APAC) and Latin American (LATAM) regions, highlighting the evolving nature of cyber threats in these areas.

    The first sighting of Earth Alux's activity was reported in the second quarter of 2023, primarily targeting internet-exposed web applications. The group's tactics, techniques, and procedures (TTPs) have evolved significantly since then, with a focus on exploiting vulnerabilities to deploy more advanced payloads. One of the primary tools used by Earth Alux is VARGEIT, a backdoor that offers the ability to load tools directly from its command-and-control (C&C) server into a newly spawned process.

    VARGEIT has been observed facilitating reconnaissance, collection, and exfiltration, as well as providing support for lateral movement and network discovery in a fileless manner. The tool is also used as a first-stage backdoor by another payload called COBEACON, which is launched via a loader dubbed MASQLOADER or RSBINJECT. MASQLOADER has been observed implementing an anti-API hooking technique that overwrites any NTDLL.dll hooks inserted by security programs, which rely on those hooks to detect suspicious processes running on Windows.

    The execution of VARGEIT results in the deployment of more tools, including a loader component codenamed RAILLOAD that is executed using a technique known as DLL side-loading. This allows the malware and its embedded payload to fly under the radar. The second payload, RAILSETTER, alters the timestamps associated with RAILLOAD artifacts on the compromised host and creates a scheduled task to launch RAILLOAD.
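    The RAILLOAD/RAILSETTER chain described above (a signed binary side-loading a DLL, the DLL's timestamps being altered, then a scheduled task being created for persistence) can be correlated from endpoint telemetry. The following is an added detection example, not code from the report or from Trend Micro; the event records and paths are constructed sample data, and the timestomp check relies on the NTFS property that $STANDARD_INFORMATION timestamps can be rewritten from user mode while $FILE_NAME timestamps keep the true creation time.

```python
from datetime import datetime, timedelta

# Constructed endpoint telemetry (sample data, not from the Trend Micro report).
EVENTS = [
    {"host": "ws01", "ts": "2025-03-10T09:00:00", "type": "image_load",
     "image": r"C:\Users\Public\vendor\app.exe", "image_signed": True,
     "dll": r"C:\Users\Public\vendor\helper.dll", "dll_signed": False},
    {"host": "ws01", "ts": "2025-03-10T09:00:05", "type": "file_times",
     "path": r"C:\Users\Public\vendor\helper.dll",
     "si_created": "2019-06-01T00:00:00", "fn_created": "2025-03-10T08:59:50"},
    {"host": "ws01", "ts": "2025-03-10T09:01:00", "type": "task_created",
     "command": r"C:\Users\Public\vendor\app.exe"},
    {"host": "ws02", "ts": "2025-03-10T10:00:00", "type": "image_load",
     "image": r"C:\Program Files\Vendor\app.exe", "image_signed": True,
     "dll": r"C:\Program Files\Vendor\helper.dll", "dll_signed": True},
    {"host": "ws02", "ts": "2025-03-10T10:00:30", "type": "task_created",
     "command": r"C:\Program Files\Vendor\app.exe"},
]
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

def _t(s): return datetime.fromisoformat(s)
def _dir(p): return p.lower().rsplit("\\", 1)[0] + "\\"

def is_sideload(ev):
    """Signed EXE loading an unsigned DLL from its own, non-standard directory."""
    return (ev["type"] == "image_load" and ev["image_signed"] and not ev["dll_signed"]
            and _dir(ev["image"]) == _dir(ev["dll"])
            and not _dir(ev["dll"]).startswith(TRUSTED_DIRS))

def is_timestomped(ev):
    """$STANDARD_INFORMATION creation older than $FILE_NAME creation: SI was rewritten."""
    return ev["type"] == "file_times" and _t(ev["si_created"]) < _t(ev["fn_created"])

def correlate(events, window=timedelta(minutes=10)):
    """Chain side-load -> timestomp of that DLL -> scheduled task for that EXE, per host."""
    alerts = []
    for load in filter(is_sideload, events):
        same_host = [e for e in events if e["host"] == load["host"]
                     and abs(_t(e["ts"]) - _t(load["ts"])) <= window]
        stomped = any(is_timestomped(e) and e["path"].lower() == load["dll"].lower()
                      for e in same_host)
        task = any(e["type"] == "task_created" and e["command"].lower() == load["image"].lower()
                   for e in same_host)
        if stomped and task:
            alerts.append((load["host"], load["image"], load["dll"]))
    return alerts

if __name__ == "__main__":
    print(correlate(EVENTS))  # one alert for ws01; ws02 loads a signed DLL and is ignored
```

Only the full chain raises an alert; a signed DLL loaded from Program Files on ws02 is filtered out even though a task is created there.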

    Earth Alux has also been found to utilize VirTest, another testing tool widely used by the Chinese-speaking community, to ensure that its tools are stealthy enough to maintain long-term access to target environments. The group's ongoing testing and development of its tools further indicate a commitment to refining its capabilities and evading detection.

    The report highlights Earth Alux as a sophisticated and evolving cyberespionage threat, leveraging a diverse toolkit and advanced techniques to infiltrate and compromise a range of sectors. This new threat actor represents a significant addition to the landscape of China-linked threats, underscoring the need for increased vigilance and cooperation among security professionals in detecting and mitigating these types of threats.

    In recent years, we have seen an increase in the number of China-linked threats, many of which are sophisticated and difficult to detect. The emergence of Earth Alux is a prime example of this trend, highlighting the evolving nature of cyber threats and the need for continued innovation in threat detection and mitigation.

    The report also notes that Earth Alux's activities have been observed in various countries, including Thailand, the Philippines, Malaysia, Taiwan, and Brazil. This highlights the global reach of the group and underscores the importance of international cooperation in addressing this type of threat.

    In conclusion, the emergence of Earth Alux represents a significant development in the world of cyber threats. The group's sophisticated tools and techniques make it a formidable opponent for security professionals, highlighting the need for continued innovation and vigilance in detecting and mitigating these types of threats.

    Related Information:
  • https://www.ethicalhackingnews.com/articles/A-New-China-Linked-Threat-Actor-Emerges-Earth-Alux-Exploits-Vulnerabilities-to-Launch-Multi-Stage-Cyber-Intrusions-ehn.shtml

  • https://thehackernews.com/2025/04/china-linked-earth-alux-uses-vargeit.html


  • Published: Tue Apr 1 07:45:56 2025 by llama3.2 3B Q4_K_M
    © Ethical Hacking News . All rights reserved.